FAMOUS TO INFAMOUS? The fall of the WannaCry hero


US prosecutors have confirmed that Marcus Hutchins, a 23-year-old British computer expert and security researcher, has been pleaded ‘not guilty’ of developing software that harvests bank details.

Marcus Hutchins shot to fame earlier this year when he alone stopped the famous WannaCry ransomware outbreak. However, on 2nd of August, Hutchins was arrested in Las Vegas in an interesting turn of events where he himself is now on the wrong side of the law. Hutchins is accused by the FBI of six charges of creating, selling and distributing unrelated malware. He has pleaded ‘not guilty’ to the charges.

Marcus Hutchins, right. Photograph: Joshua Lott/AFP/Getty Images


The malware in question, Kronos, is a kind of banking Trojan that exists for the sole purpose of breaking into an online bank account and transferring its money to different accounts (controlled by criminals).

Both Hutchins and a co-defendant (who has not been named) have been accused of distributing Kronos on online criminal forums, and profiting from its sales.



On 12th of July, a U.S. District Court issued the indictment, alleging that Hutchins “created the Kronos malware.” Evidence to back up this statement was given in the form of a video posted by the co-defendant “showing the functionality of the ‘Kronos banking Trojan’ [which] was posted to a publicly available website.” on 13th of July, but was taken down on 3rd of August.

The indictment includes details of the six counts, such as how the defendants “knowingly cause[d] the transmission of a program” which would “intentionally cause damage without authorization to 10 or more protected computers”.

Other allegations include:

  • August 2014
    • the co-defendant tried selling the Kronos malware
  • January 2015
    • the Kronos malware was updated by Hutchins and the co-defendant
  • April 2015
    • the Kronos malware was advertised by the co-defendant on the dark-web, AlphaBay Market (that has now been shut down)
  • June 2015
    • a version of Kronos was sold by the co-defendant “for approximately $2,000” (in cryptocurrency)
  • July 2015
    • “crypting” services were built and offered by the co-defendant, which aimed to evade security software’s detection by encrypting some of the malware’s activities


Criminal intent?

It is fairly clear that the majority of the allegations appear to lay with Hutchins’ co-defendant, with Hutchins himself only being directly accused of the malware’s development and updates.

Hutchins has actually stated on his blog that yes he DID create simple malware… but it was for research only; and yes he DID release some of its code… but this is a normal move for legitimate malware researchers.

He also was incredibly open with sharing and showing how malware operates on his YouTube page, which is also not an unusual feat.

Essentially, this openness teamed with the fact that a) the majority of the allegations are against the co-defendant and b) there does not yet seem to be intent behind selling the malware, has started a new debate as to where the line of crime is.

Crucially, it is NOT a crime to create or sell malware. However, it IS a crime to sell malware with the intent to further someone else’s crime. So did Hutchins commit a crime?

It is entirely possible that the malware code made by Hutchins was incorporated into legitimate malware, whether he knew about it or not. Here’s where the difficulty comes in. It will be up to the courts to decide whether there was intent behind the actions.


One area that surely will be acknowledged in the case will be Hutchin’s positive role in the stopping of the WannaCry attack.

As the WannaCry outbreak spread to hundreds of thousands of computer accounts in organisations such as the NHS, Hutchins became an overnight hero when he ‘sinkholed’ a command-and-control server in one of the ransomware’s worms.

Basically, the ransomware was programmed to only take instructions from one specific web domain… but this domain was unregistered. Once Hutchins had identified this flaw, he registered the domain himself , therefore taking the traffic from WannaCry, and the infection stopped on his test machines.

Malware researchers often do their work on virtual test machines that, whilst not actually being connected to it, mimic the entire internet. WannaCry had an automatic ‘kill switch’ that shut down the operation in this instance, so the infection stopped and Hutchins was the saviour.

But, again, where are the lines between the crime, the programmer and the offender?



Cyber Forensic Examiner, Mike Roberts believes this arrest could be the start of a new understanding of the ambiguity of the digital world and its criminals:

“The arrest of Marcus Hutchins has thrown into stark relief the unusual nature of cyber crime and its suspects.

I attend events and conferences where Law Enforcement and those involved in cyber security mingle with persons whose motivations are not necessarily the same as mine. It is hard to make an analogy, but imagine a trade conference where cops, drug dealers and pharma companies all met and talked about their industry. This would include talks by some of the best drug dealers, obviously.

For me, it highlights the fluid and unique nature of digital crime and its offenders.”

What now?

As this fluidity and uniqueness of digital crime and it’s participators becomes more highlighted, the issue of criminal intent also becomes more promenant.

Marcus Hutchins has pleaded ‘not guilty’ to the charges of creating and selling malware designed to steal people’s online banking details, but this is perhaps not as surprising it initially seems (seeing as the evidence of his dealings with the malware is strong). To convict, it would have to be proved that there was intent behind the creation and sales, which, with the ambiguity shown in this article, is incredibly difficult.


This information is correct as of 15th of August 2017.

To learn more about ransomware cyber attacks, click here.